The table below describes the significant fields shown in the display.

Table 3 show parameter-map type inspect-vrf Field Descriptions

| Field | Description |
| --- | --- |
| total_session_cnt | Total session count. |
| exceed_cnt | Number of sessions that exceeded the configured session count. |
| tcp_half_open_cnt | TCP half-open sessions configured for each VRF. When the configured session limit is reached, the TCP synchronization (SYN) cookie verifies the source of the half-open TCP sessions before creating more sessions. A TCP half-open session is a session that has not reached the established state. |
| syn_exceed_count | Number of SYN packets that exceeded the configured SYN flood rate limit. |

Related Commands

| Command | Description |
| --- | --- |
| parameter-map type inspect-vrf | Configures an inspect VRF type parameter map. |

show parameter-map type inspect-zone

To display information about the configured inspect zone-type parameter map, use the show parameter-map type inspect-zone command in user EXEC or privileged EXEC mode.

show parameter-map type inspect-zone [ name | default ]

Syntax Description

name

(Optional) Name of the inspect zone-type parameter map.

default

(Optional) Specifies the default inspect zone-type parameter map.

Command Default

This command has no default settings.

Command Modes

User EXEC (>)
Privileged EXEC (#)

Command History

| Release | Modification |
| --- | --- |
| Cisco IOS XE Release 3.3S | This command was introduced. |

Examples

The following is sample output from the show parameter-map type inspect-zone command:

show parameter-map type ooo global

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC (#)

Command History

| Release | Modification |
| --- | --- |
| 15.0(1)M | This command was introduced. |

Usage Guidelines

The output of the show parameter-map type ooo global command displays configurations related to out-of-order (OoO) packet processing. If you do not configure the parameter-map type ooo global command, the output of the show parameter-map type ooo global command displays default values of the OoO packet-processing parameters.

Examples

The following is sample output from the show parameter-map type ooo global command:

(Optional) Displays the protocol information of Session Traversal Utilities for Network Address Translation (NAT) and Interactive Connectivity Establishment (STUN-ICE). STUN is an Internet standards-track suite of methods, including a network protocol, used in NAT traversal for applications of real-time voice, video, messaging, and other interactive IP communications. ICE is a technique used in computer networking involving NATs in Internet applications of VoIP, peer-to-peer communications, video, instant messaging, and other interactive media. In such applications, NAT traversal is an important component to facilitate communications involving hosts on private network installations, which often are located behind firewalls.

Command Modes

Privileged EXEC (#)

Command History

| Release | Modification |
| --- | --- |
| 12.4(11)T | This command was introduced. |
| 12.4(22)T | The command was modified. The stun-ice keyword was added. |
| 15.1(4)M | This command was modified. The msrpc keyword was added. |

Examples

The following is sample output from the show parameter-map type protocol-info command. The fields are self-explanatory.

show parser view

Syntax Description

(Optional) Displays information about all CLI views that are configured on the router.

Command Modes

Privileged EXEC (#)

Command History

| Release | Modification |
| --- | --- |
| 12.3(7)T | This command was introduced. |
| 12.2(33)SRB | This command was integrated into Cisco IOS Release 12.2(33)SRB. |
| Cisco IOS XE Release 2.1 | This command was integrated into Cisco IOS XE Release 2.1. |
| 12.2(33)SXI | This command was integrated into Cisco IOS Release 12.2(33)SXI. |

Usage Guidelines

The show parser view command displays information only about the view that the user is currently in. This command is available for both root view users and lawful intercept view users, except for the all keyword, which is available only to root view users. However, the all keyword can be configured by a user in root view to be available for users in lawful intercept view.

The show parser view command cannot be excluded from any view.

Examples

The following example shows how to display information from the root view and the CLI view "first":

Router# enable view
Router#
01:08:16:%PARSER-6-VIEW_SWITCH:successfully set to view 'root'.
Router#
! Enable the show parser view command from the root view
Router# show parser view
Current view is 'root'
! Enable the show parser view command from the root view to display all views
Router# show parser view all
Views Present in System:
View Name: first
View Name: second
! Switch to the CLI view "first."
Router# enable view first
Router#
01:08:09:%PARSER-6-VIEW_SWITCH:successfully set to view 'first'.
! Enable the show parser view command from the CLI view "first."
Router# show parser view
Current view is 'first'

Number of acknowledgment (ACK) requests that exceeded the configured limit.

Num of RST exceeds limit

Number of reset (RST) requests that exceeded the configured limit.

VRF Global Action Block

Information about the global virtual routing and forwarding (VRF) instance.

half-open

Information about the half-opened firewall sessions.

aggr-age high watermark low watermark

Information about the aggressive-aging high and low watermarks. Firewall sessions are aggressively aged to make room for new sessions, thereby protecting the firewall session database from filling. Aggressive aging period starts when the session table crosses the high watermark and ends when it falls below the low watermark.
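The watermark behaviour described above, as an added example (not Cisco code or output): a simplified Python model of a session table that shows why the same session count can fall inside or outside the aggressive aging period, and what the shorter timeout buys during a burst. The function name, the timeouts, the use of absolute session counts for the watermarks and the load are all assumptions made for the illustration.

```python
from collections import deque


def simulate_session_table(arrivals, capacity, high, low,
                           idle_timeout, aging_timeout):
    """Model a session table with aggressive aging between two watermarks.

    Assumptions (not from the Cisco documentation): watermarks are absolute
    session counts, every session stays idle after it is created (as a
    half-open session would), and aggressive aging means using the shorter
    aging_timeout instead of idle_timeout while the aging period is active.

    Returns (rows, dropped) where rows is a list of
    (tick, sessions_in_table, aging_active) and dropped counts the new
    sessions refused because the table was full.
    """
    if not 0 <= low < high <= capacity:
        raise ValueError("need 0 <= low < high <= capacity")
    table = deque()   # creation tick of each live session, oldest first
    aging = False
    dropped = 0
    rows = []
    for tick, offered in enumerate(arrivals):
        # Expire idle sessions using whichever timeout is in force.
        timeout = aging_timeout if aging else idle_timeout
        while table and tick - table[0] >= timeout:
            table.popleft()
        # Admit new sessions until the table is full.
        admitted = min(offered, capacity - len(table))
        table.extend([tick] * admitted)
        dropped += offered - admitted
        # Hysteresis: start above the high watermark, stop below the low one.
        if not aging and len(table) > high:
            aging = True
        elif aging and len(table) < low:
            aging = False
        rows.append((tick, len(table), aging))
    return rows, dropped


# Constructed load: a burst of 3 new sessions per tick for 5 ticks, then quiet.
BURST = [3, 3, 3, 3, 3, 0, 0, 0]

if __name__ == "__main__":
    for label, aging_timeout in (("aggressive aging", 2),
                                 ("no aggressive aging", 5)):
        rows, dropped = simulate_session_table(
            BURST, capacity=10, high=8, low=4,
            idle_timeout=5, aging_timeout=aging_timeout)
        print(label, "dropped:", dropped)
        for tick, size, aging in rows:
            state = "on" if aging else "off"
            print(f"  tick {tick}: sessions={size:2d} aging={state}")
```

With six sessions in the table, aging is off at tick 1 and on at tick 3: between the two watermarks the state depends on which one was crossed last.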

Related Commands

show platform hardware qfp feature firewall datapath

Displays information about the firewall datapath in the Cisco QFP.

show platform hardware qfp feature firewall drop

Displays information about the firewall packet drops in the Cisco QFP.

show platform hardware qfp feature firewall datapath scb

To display information about the session control block of the Cisco Quantum Flow Processor (QFP), use the show platform hardware qfp feature firewall datapath scb command in privileged EXEC mode.

show platform software ipsec fp active spd-map

To display information about the active instances of IPsec Security Policy Database (SPD) map objects in the Embedded Service Processor (ESP), use the show platform software ipsec fp active spd-map command in privileged EXEC mode.

show platform software ipsec fp active spd-map { all | identifier number }

Syntax Description

all

Displays information about all active IPsec flows in the instance.

identifier number

Displays information about the specified IPsec flow in the instance. The range is from 0 to 4294967295.

Command Modes

Privileged EXEC (#)

Command History

| Release | Modification |
| --- | --- |
| Cisco IOS XE Release 3.9S | This command was introduced on Cisco ASR 1000 Series Routers. |

Usage Guidelines

SPD is an ordered list of policies applied to traffic. A policy decides whether a packet requires IPsec processing, should be allowed in clear text, or should be dropped. The IPsec SPDs are derived from user configuration of crypto maps. The Internet Key Exchange (IKE) SPD is configured by the user.
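Because the SPD is evaluated in order, a broad entry placed early can silently override a narrower one below it. The following added example (not Cisco code) models first-match lookup and a review check for such shadowed entries; the entry names, the prefixes and the restriction to IPv4 source/destination selectors are assumptions, and the action names PROTECT, BYPASS and DISCARD are the RFC 4301 terms for the three outcomes listed above.

```python
import ipaddress
from dataclasses import dataclass

PROTECT, BYPASS, DISCARD = "PROTECT", "BYPASS", "DISCARD"


@dataclass(frozen=True)
class SpdEntry:
    """One policy: IPv4 source/destination prefixes and an action (assumed shape)."""
    name: str
    src: str
    dst: str
    action: str

    def matches(self, src_ip, dst_ip):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))

    def covers(self, other):
        """True if every packet matching `other` also matches this entry."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst)))


def lookup(spd, src_ip, dst_ip):
    """Ordered evaluation: the first matching entry decides, later ones are ignored."""
    for entry in spd:
        if entry.matches(src_ip, dst_ip):
            return entry
    return None


def shadowed_entries(spd):
    """Report (later, earlier) pairs where an earlier entry with a different
    action covers the later one completely, so the later one never applies."""
    findings = []
    for index, later in enumerate(spd):
        for earlier in spd[:index]:
            if earlier.covers(later) and earlier.action != later.action:
                findings.append((later.name, earlier.name))
                break
    return findings


# Constructed policies: the same three entries in two different orders.
BYPASS_INTERNAL = SpdEntry("bypass-internal", "10.0.0.0/8", "10.0.0.0/8", BYPASS)
PROTECT_BRANCH = SpdEntry("protect-branch", "10.1.0.0/16", "10.2.0.0/16", PROTECT)
DISCARD_REST = SpdEntry("discard-rest", "0.0.0.0/0", "0.0.0.0/0", DISCARD)

MISORDERED = [BYPASS_INTERNAL, PROTECT_BRANCH, DISCARD_REST]
CORRECTED = [PROTECT_BRANCH, BYPASS_INTERNAL, DISCARD_REST]

if __name__ == "__main__":
    for label, spd in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        hit = lookup(spd, "10.1.5.5", "10.2.9.9")
        print(f"{label}: 10.1.5.5 -> 10.2.9.9 handled by {hit.name} ({hit.action})")
        print(f"{label}: shadowed entries: {shadowed_entries(spd)}")
```

In the misordered list, branch traffic that was meant to be encrypted leaves in clear text because the broader bypass entry matches first.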

Examples

The following is sample output from the show platform software ipsec fp active spd-map all command:

Related Commands

Displays information about active instances of IPsec flows in the ESP.

show platform software urpf qfp active configuration

To confirm and display the Unicast Reverse Path Forwarding (uRPF) configuration on a forwarding processor of the Cisco ASR 1000 Series Aggregation Services Routers, use the show platform software urpf qfp active configuration command in the privileged EXEC mode.

Syntax Description

Command Modes

Privileged EXEC (#)

Command History

| Release | Modification |
| --- | --- |
| Cisco IOS XE Release 2.0S | This command was introduced on the Cisco ASR 1000 Series Aggregation Services Routers. |

Usage Guidelines

The uRPF configuration on an IPv4 or IPv6 interface is downloaded from the route processor to a forwarding processor and the configuration is reflected on the forwarding processor. Use the show platform software urpf qfp active configuration command to display the uRPF configuration on a forwarding processor.

Examples

The following is a sample output of the show platform software urpf qfp active configuration command:

Command Default

Privileged EXEC (#)

Command History

| Release | Modification |
| --- | --- |
| 15.1(1)T | This command was introduced. |

Usage Guidelines

Use this command to display the global connection statistics and the statistics per protocol in Layer 4 or Layer 7 for each policy or zone pair. Use the debug policy-firewall mib command to toggle on or off the support for MIBs in zone-based policy firewalls.

Examples

The following is sample output from five versions of the show policy-firewall mib command:

Command Modes

Command History

| Release | Modification |
| --- | --- |
| 15.1(1)T | This command was introduced. |
| 15.1(4)M | This command was modified. The msrpc keyword was added. |
| 15.2(3)T | This command was modified. The ha keyword was added. |

Usage Guidelines

Use the show policy-firewall session command to display session details. Session details can be either global, zone pair-specific, or MSRPC-specific. Global session details incorporate information about all sessions created by the firewall, and zone pair-specific details that pertain to each zone pair.

Examples

The following is sample output from the show policy-firewall session command:

The table below describes the significant fields shown in the display.

Table 28 show policy-firewall session Field Descriptions

| Field | Description |
| --- | --- |
| Number of Established Sessions | Number of established sessions. A session is established when traffic flows between the sessions. |
| Number of Half-open Sessions | Number of half-opened sessions. A TCP session that has not yet reached the established state is called a half-opened session. |
| Number of Terminating Sessions | A link or session between a pair of devices that get closed. The terminating side waits for a timeout and closes the connection between the devices. After the connection is closed, the local port of the terminating side will not be available for new connections. |

The following is sample output from the show policy-firewall session zone-pair ha command:

show policy-firewall stats

To display the statistics of the firewall activity on the router, use the show policy-firewall stats command in privileged EXEC mode.

show policy-firewall stats [ all | drop-counters | zone-pair [name] ]

Syntax Description

all

(Optional) Displays all firewall statistics on the router.

drop-counters

(Optional) Displays the number of packets dropped for each error code.

zone-pair name

(Optional) Displays statistics pertaining to zone-pair.

Command Default

Privileged EXEC (#)

Command History

| Release | Modification |
| --- | --- |
| 15.1(1)T | This command was introduced. |

Usage Guidelines

This command provides the statistics of all the firewall activity on the router. The command displays the box-wide statistics or the statistics for each zone pair. To get all statistics, use the all keyword. Use the drop-counters keyword to display the packets dropped and grouped by their error codes. The output displays only the error codes for which the drop counter is greater than zero. If the number of packets dropped is similar for multiple error codes, the error codes are sorted in alphabetical order.

Examples

The following is sample output from the show policy-firewall stats command. The field descriptions are self-explanatory.

TCP half-open sessions configured at a global VRF level. When the configured session limit is reached, the TCP synchronization (SYN) cookie verifies the source of the half-open TCP sessions before creating more sessions. A TCP half-open session is a session that has not reached the established state.

syn_exceed_cnt

Number of SYN packets that exceeded the configured SYN flood rate limit.

Related Commands

| Command | Description |
| --- | --- |
| clear policy-firewall stats vrf global | Clears the global VRF policy firewall statistics. |

show policy-firewall stats zone

To display policy firewall statistics at a zone level, use the show policy-firewall stats zone command in user EXEC or privileged EXEC mode.

show policy-firewall stats zone [zone-name]

Syntax Description

zone-name

(Optional) Zone name.

Command Modes

User EXEC (>)

Privileged EXEC (#)

Command History

| Release | Modification |
| --- | --- |
| Cisco IOS XE Release 3.3S | This command was introduced. |
| Cisco IOS XE Release 3.4S | This command was modified. The command output was modified to display threat detection statistics. |

Examples

The following is sample output from the show policy-firewall stats zone command:

The table below describes the significant fields shown in the display.

Table 32 show policy-map type inspect Field Descriptions

| Field | Description |
| --- | --- |
| p_inside | Name of the policy map. |
| Description | Description of the policy map. |
| Class | Name of the class map. |
| Pass | Allows packets to be sent to the router without being inspected. |

show policy-map type inspect urlfilter

To display the details of a URL filtering policy map, use the show policy-map type inspect urlfilter command in privileged EXEC mode.

show policy-map type inspect urlfilter [policy-map-name]

Syntax Description

policy-map-name

(Optional) Name of the policy map for which details are displayed.

Command Default

The details of all URL filtering policy maps are displayed.

Command Modes

Privileged EXEC (#)

Command History

| Release | Modification |
| --- | --- |
| 12.4(15)XZ | This command was introduced. |
| 12.4(20)T | This command was integrated into Cisco IOS Release 12.4(20)T. |

Usage Guidelines

Use the show policy-map type inspect urlfilter command to display the details of all URL filtering policy maps. To display the details of a particular URL filtering policy map, specify the name of the policy map.

The output of the show ip urlfilter cache command displays the pages cached by a device.

Examples

The following is sample output from the show policy-map type inspect urlfilter command for a policy map named websense-policy:

show policy-map type inspect zone-pair

To display runtime inspect type policy map statistics and other information such as sessions existing on a specified zone pair, use the show policy-map type inspect zone-pair command in privileged EXEC mode.

Syntax Description

(Optional) Zone pair for which the system displays the runtime inspect type policy-map statistics.

sessions

(Optional) Displays stateful packet inspection sessions created because a policy map is applied on the specified zone pair.

ipv6

(Optional) Displays information about the IPv6 session.

destination destination-ip

(Optional) Displays information about the destination IPv4 or IPv6 address of the session.

source source-ip

(Optional) Displays information about the source IPv4 or IPv6 address of the session.

Command Default

Information about policy maps for all zone pairs is displayed.

Command Modes

Privileged EXEC (#)

Command History

| Release | Modification |
| --- | --- |
| 12.4(6)T | This command was introduced. |
| 12.4(9)T | This command was modified. The output was enhanced to display the police action configuration. |
| 12.4(15)XZ | This command was integrated into Cisco IOS Release 12.4(15)XZ and implemented on the following platforms: Cisco 881 and Cisco 888. |
| Cisco IOS XE Release 3.1S | This command was integrated into Cisco IOS XE Release 3.1S. |
| Cisco IOS XE Release 3.4S | This command was modified. The output was enhanced to display the General Packet Radio Service (GPRS) Tunneling Protocol (GTP) configuration. |
| Cisco IOS XE Release 3.6S | This command was modified. The output was enhanced to display both IPv4 and IPv6 firewall sessions. |
| Cisco IOS XE Release 3.9S | This command was modified. The destination, ipv6, and source keywords and the destination-ip and source-ip arguments were added. |

Usage Guidelines

If you do not specify a zone-pair name, policy maps on all zone pairs are displayed.

When packets are matched to an access group (match access-group), a protocol (match protocol), or a class map (match class-map), a traffic rate is generated for these packets. In a zone-based firewall policy, only the first packet that creates a session matches the policy. Subsequent packets in this flow do not match the filters in the configured policy, but instead match the session directly. The statistics related to subsequent packets are shown as part of the “inspect” action and are displayed using the show policy-map type inspect zone-pair sessions command.

Command Limitations

The cumulative counters in the show policy-map type inspect zone-pair command output do not increment for match statements in a nested class map configuration in Cisco IOS Releases 12.4(15)T and 12.4(20)T. The problem with the counters exists regardless of whether the top-level class map uses the match-any or match-all keyword.

In the preceding sample output, the information displayed below the Class-map field is the traffic rate (bits-per-second) of the traffic belonging to only the connection-initiating traffic. Unless the connection setup rate is significantly high and sustained for multiple intervals over which the rate is computed, no significant data is shown for the connection.

The following sample output from the show policy-map type inspect zone-pair sessions command displays IPv6 firewall sessions:

Displays all the secure MAC addresses that are configured on all the switch interfaces or on a specified interface with aging information for each address.

vlan

Virtual LAN.

Command Default

This command has no default settings.

Command Modes

EXEC

Command History

| Release | Modification |
| --- | --- |
| 12.2(14)SX | Support for this command was introduced on the Supervisor Engine 720. |
| 12.2(17d)SXB | Support for this command on the Supervisor Engine 2 was extended to Release 12.2(17d)SXB. |
| 12.2(18)SXE | The address keyword was added to display the maximum number of MAC addresses configured per VLAN on a trunk port on the Supervisor Engine 720 only. |
| 12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA. |

Usage Guidelines

The vlan keyword is supported on trunk ports only and displays per-VLAN maximums set on a trunk port.

The interface-number argument designates the module and port number. Valid values for interface-number depend on the specified interface type and the chassis and module that are used. For example, if you specify a Gigabit Ethernet interface and have a 48-port 10/100BASE-T Ethernet module that is installed in a 13-slot chassis, valid values for the module number are from 1 to 13 and valid values for the port number are from 1 to 48.

Examples

This example shows the output from the show port-security command when you do not enter any options:

Related Commands

show ppp queues

To monitor the number of requests processed by each authentication, authorization, and accounting (AAA) background process, use the show ppp queues command in privileged EXEC mode.

show ppp queues

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

| Release | Modification |
| --- | --- |
| 11.3(2)AA | This command was introduced. |
| 12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA. |
| 12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |

Usage Guidelines

Use the show ppp queues command to display the number of requests handled by each AAA background process, the average amount of time it takes to complete each request, and the requests still pending in the work queue. This information can help you balance the data load between the network access server and the AAA server.

This command displays information about the background processes configured by the aaa processes global configuration command. Each line in the display contains information about one of the background processes. If there are AAA requests in the queue when you enter this command, the requests will be printed as well as the background process data.

Syntax Description

(Optional) Displays information about the interface on which the PPPoE session is active.

packets

(Optional) Displays packet statistics for the PPPoE session.

ipv6

(Optional) Displays PPPoE session packet statistics for IPv6 traffic.

Command Modes

Privileged EXEC (#)

Command History

| Release | Modification |
| --- | --- |
| 12.2(4)YG | This command was introduced on the Cisco SOHO 76, 77, and 77H routers. |
| 12.3(4)T | This command was integrated into Cisco IOS Release 12.3(4)T and was enhanced to display information about relayed PPPoE Active Discovery (PAD) messages. |
| 12.2(28)SB | This command was integrated into Cisco IOS Release 12.2(28)SB and support was added for the Cisco 7200, 7301, 7600, and 10000 series platforms. |
| 12.2(31)SB2 | This command was integrated into Cisco IOS Release 12.2(31)SB2 and the output following the use of the all keyword was modified to indicate if a session is Interworking Functionality (IWF)-specific or if the tag ppp-max-payload tag is in the discovery frame and accepted. |
| 12.4(15)T | This command was integrated into Cisco IOS Release 12.4(15)T to support VMIs in Mobile Ad Hoc Router-to-Radio Networks (MANETs). |
| 12.2(33)SRC | This command was integrated into Cisco IOS Release 12.2(33)SRC. |
| Cisco IOS XE Release 2.5 | This command was implemented on Cisco ASR 1000 series routers. |
| Cisco IOS XE Release 3.5S | This command was modified. The ipv6 keyword was added. |

Examples

The following is sample output from the show pppoe session command:

Router# show pppoe session
1 session in FORWARDED (FWDED) State
1 session total

| Uniq ID | PPPoE SID | RemMAC | Port | VT | VA | State | LocMAC | VA-st |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 26 | 19 | 0001.96da.a2c0 | Et0/0.1 | 5 | N/A | RELFWD | 000c.8670.1006 | VLAN:3434 |

Examples

The following is sample output from the show pppoe session command when there is an IWF session and the ppp-max-payload tag is accepted in the discovery frame (available in Cisco IOS Release 12.2(31)SB2):

Router# show pppoe session
1 session in LOCALLY_TERMINATED (PTA) State
1 session total. 1 session of it is IWF type

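| Uniq ID | PPPoE SID | RemMAC | Port | VT | VA | State | LocMAC | VA-st | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 26 | 21 | 0001.c9f2.a81e | Et1/2 | 1 | Vi2.1 | PTA | 0006.52a4.901e | UP | IWF |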

The table below describes the significant fields shown in the displays.

Table 35 show pppoe session Field Descriptions

| Field | Description |
| --- | --- |
| Uniq ID | Unique identifier for the PPPoE session. |
| PPPoE SID | PPPoE session identifier. |
| RemMAC | Remote MAC address. |
| Port | Port type and number. |
| VT | Virtual-template interface. |
| VA | Virtual access interface. |
| State | Displays the state of the session, which will be one of the following: FORWARDED, FORWARDING, LCP_NEGOTIATION, LOCALLY_TERMINATED, PPP_START, PTA, RELFWD (a PPPoE session was forwarded for which the Active discovery messages were relayed), SHUTTING_DOWN, VACCESS_REQUESTED. |
| LocMAC | Local MAC address. |

Examples

The following example shows information per session for the show pppoe session all command.

The first section of statistics lists cumulative statistics from the local authenticator.

The second section lists statistics for each access point (NAS) authorized to use the local authenticator. The EAP-FAST statistics in this section include the following:

Auto provision success--the number of PACs generated automatically

Auto provision failure--the number of PACs not generated because of an invalid handshake packet or invalid username or password

PAC refresh--the number of PACs renewed by clients

Invalid PAC received--the number of PACs received that were expired, that the authenticator could not decrypt, or that were assigned to a client username not in the authenticator’s database

The third section lists stats for individual users. If a user is blocked and the lockout time is set to infinite, blocked appears at the end of the stat line for that user. If the lockout time is not infinite, Unblocked in x seconds appears at the end of the stat line for that user.

Use the clear radius local-server statistics command in privileged EXEC mode to reset local authenticator statistics to zero.

Related Commands

| Command | Description |
| --- | --- |
| block count | Configures the parameters for locking out members of a group to help protect against unauthorized attacks. |
| clear radius local-server | Clears the statistics display or unblocks a user. |
| debug radius local-server | Displays the debug information for the local server. |
| group | Enters user group configuration mode and configures shared setting for a user group. |
| nas | Adds an access point or router to the list of devices that use the local authentication server. |
| radius-server host | Specifies the remote RADIUS server host. |
| radius-server local | Enables the access point or router to be a local authentication server and enters into configuration mode for the authenticator. |
| reauthentication time | Specifies the time (in seconds) after which access points or wireless-aware routers must reauthenticate the members of a group. |
| ssid | Specifies up to 20 SSIDs to be used by a user group. |
| user | Authorizes a user to authenticate using the local authentication server. |
| vlan | Specifies a VLAN to be used by members of a user group. |

show radius server-group

To display properties for the RADIUS server group, use the show radius server-group command in user EXEC or privileged EXEC mode.

show radius server-group { server-group-name | all | 123 }

Syntax Description

server-group-name

Displays properties for the server group named. The character string used to name the group of servers must be defined using the aaa group server radius command.

all

Displays properties for all the server groups.

server

Displays properties for a specific server or servers in the group.

Command Modes

User EXEC (>)
Privileged EXEC (#)

Command History

| Release | Modification |
| --- | --- |
| 12.2(2)T | This command was introduced. |
| 12.2(33)SRA | The server argument was introduced. |

Usage Guidelines

Use the show radius server-group command to display the server groups that you defined by using the aaa group server radius command.

Examples

The following show radius server-group command output displays properties for the server group "rad_sg":

The following show radius server-group command output displays the properties for two server groups, 123 and 456, respectively. Using the aaa group server radius command, the configuration of each server group is also shown.

The table below describes the significant fields shown in the display.

Table 36 show radius server-group command Field Descriptions

| Field | Description |
| --- | --- |
| Server group | Name of the server group. |
| Sharecount | Number of method lists that are sharing this server group. For example, if one method list uses a particular server group, the sharecount would be 1. If two method lists use the same server group, the sharecount would be 2. |
| sg_unconfigured | Server group has been unconfigured. |
| Type | The type can be either "standard" or "nonstandard". The type indicates whether the servers in the group accept nonstandard attributes. If all servers within the group are configured with the nonstandard option, the type will be shown as "nonstandard". |
| Memlocks | An internal reference count for the server-group structure that is in memory. The number represents how many internal data structure packets or transactions are holding references to this server group. Memlocks is used internally for memory management purposes. |

Maximum number of entries allowed in the queue that holds the RADIUS messages not yet sent.

| Field | Description |
| --- | --- |
| Maximum waitQ length | Maximum number of entries allowed in the queue that holds the RADIUS messages that have been sent and are waiting for a response. |
| Maximum doneQ length | Maximum number of entries allowed in the queue that holds the messages that have received a response and will be forwarded to the code that is waiting for the messages. |
| Total responses seen | Number of RADIUS responses seen from the server. In addition to the expected packets, the number includes repeated packets and packets that do not have a matching message in the waitQ. |
| Packets with responses | Number of packets that received a response from the RADIUS server. |
| Packets without responses | Number of packets that never received a response from any RADIUS server. |
| Access Rejects | Number of times access requests have been rejected by a RADIUS server. |
| Average response delay | Average time, in milliseconds (ms), from when the packet was first transmitted to when it received a response. If the response timed out and the packet was sent again, this value includes the timeout. If the packet never received a response, this value is not included in the average. |
| Maximum response delay | Maximum delay, in ms, observed while gathering the average response delay information. |
| Number of RADIUS timeouts | Number of times a server did not respond and the RADIUS server re-sent the packet. |
| Duplicate ID detects | RADIUS has a maximum of 255 unique IDs. In some instances, there can be more than 255 outstanding packets. When a packet is received, the doneQ is searched from the oldest entry to the youngest. If the IDs are the same, further techniques are used to see if this response matches this entry. If this response does not match, the duplicate ID detect counter is increased. |
| Buffer Allocation Failures | Number of times the buffer failed to get allocated. |
| Maximum Buffer Size (bytes) | Displays the maximum size of the buffer. |
| Malformed Responses | Number of corrupted responses, mostly due to bad authenticators. |
| Bad Authenticators | Number of authentication failures due to shared secret mismatches. |
| Source Port Range: (2 ports only) | Displays the port numbers. |
| Last used Source Port/Identifier | Ports that were last used by the RADIUS server for authentication. |
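How a RADIUS client can tell a shared-secret mismatch from a structurally broken or unexpected response, as an added example (not Cisco's implementation): the Response Authenticator check defined in RFC 2865, MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the shared secret. The category names, the split between them, the secrets and the packets are constructed for the illustration.

```python
import hashlib
import hmac
import struct
from collections import Counter

ACCESS_ACCEPT = 2          # RFC 2865 packet code
HEADER_LEN = 20            # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
MAX_LEN = 4096             # RFC 2865 maximum packet length


def build_response(code, ident, request_auth, attributes, secret):
    """Build a response the way a server holding `secret` would."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attributes))
    auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + auth + attributes


def classify_response(packet, pending, secret):
    """Return 'ok', 'malformed', 'unknown' or 'bad_authenticator'.

    `pending` maps the Identifier of each outstanding request to the
    16-byte Request Authenticator that was sent with it.
    """
    if len(packet) < HEADER_LEN:
        return "malformed"
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > MAX_LEN or length > len(packet):
        return "malformed"
    attributes = packet[HEADER_LEN:length]   # bytes past Length are padding
    pos = 0
    while pos < len(attributes):             # walk Type/Length/Value triples
        if pos + 2 > len(attributes):
            return "malformed"
        attr_len = attributes[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attributes):
            return "malformed"
        pos += attr_len
    request_auth = pending.get(ident)
    if request_auth is None:
        return "unknown"                     # no outstanding request with this ID
    expected = hashlib.md5(packet[:4] + request_auth + attributes + secret).digest()
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        return "bad_authenticator"           # server used a different secret
    return "ok"


def tally(packets, pending, secret):
    """Count responses per category, like the counters in the table above."""
    return Counter(classify_response(p, pending, secret) for p in packets)


# Constructed test data (not captured traffic).
SECRET = b"constructed-secret"
REQUEST_AUTH = bytes(range(16))
PENDING = {7: REQUEST_AUTH}
ATTRS = bytes([18, 4]) + b"ok"               # Reply-Message (type 18), value "ok"
GOOD = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, ATTRS, SECRET)
SAMPLES = [
    GOOD,
    build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, ATTRS, b"other-secret"),
    GOOD[:22],                               # cut short: Length says 24 bytes
    build_response(ACCESS_ACCEPT, 8, REQUEST_AUTH, ATTRS, SECRET),
]

if __name__ == "__main__":
    print(dict(tally(SAMPLES, PENDING, SECRET)))
```

A steadily rising bad-authenticator count for one server usually points at a secret that was changed on only one side.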

The fields in the output are mapped to Simple Network Management Protocol (SNMP) objects in the CISCO-RADIUS-EXT-MIB and are used in SNMP reporting. The first line of the report is mapped to the CISCO-RADIUS-EXT-MIB as follows:

Maximum inQ length maps to creClientTotalMaxInQLength

Maximum waitQ length maps to creClientTotalMaxWaitQLength

Maximum doneQ length maps to creClientTotalMaxDoneQLength

The field "Both" in the output can be derived from the authentication and accounting MIB objects. The calculation formula for each field, as displayed in the output, is given in the table below.

Table 38 Calculation Formula for the Both field in show radius statistics Command Output

Mapping the following set of objects listed in the CISCO-RADIUS-EXT-MIB to fields displayed by the show radius statistics command is straightforward. For example, the creClientLastUsedSourcePort field corresponds to the Last used Source Port/Identifier portion of the report, creAuthClientBufferAllocFailures corresponds to the Buffer Allocation Failures for authentication packets, creAcctClientBufferAllocFailure corresponds to the Buffer Allocation Failures for accounting packets, and so on.

creClientTotalMaxInQLength

creClientTotalMaxWaitQLength

creClientTotalMaxDoneQLength

creClientTotalAccessRejects

creClientTotalAverageResponseDelay

creClientSourcePortRangeStart

creClientSourcePortRangeEnd

creClientLastUsedSourcePort

creClientLastUsedSourceId

creAuthClientBadAuthenticators

creAuthClientUnknownResponses

creAuthClientTotalPacketsWithResponses

creAuthClientBufferAllocFailures

creAuthClientTotalResponses

creAuthClientTotalPacketsWithoutResponses

creAuthClientAverageResponseDelay

creAuthClientMaxResponseDelay

creAuthClientMaxBufferSize

creAuthClientTimeouts

creAuthClientDupIDs

creAuthClientMalformedResponses

creAuthClientLastUsedSourceId

creAcctClientBadAuthenticators

creAcctClientUnknownResponses

creAcctClientTotalPacketsWithResponses

creAcctClientBufferAllocFailures

creAcctClientTotalResponses

creAcctClientTotalPacketsWithoutResponses

creAcctClientAverageResponseDelay

creAcctClientMaxResponseDelay

creAcctClientMaxBufferSize

creAcctClientTimeouts

creAcctClientDupIDs

creAcctClientMalformedResponses

creAcctClientLastUsedSourceId

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://www.cisco.com/go/mibs

Related Commands

Command

Description

radius-server host

Specifies a RADIUS server host.

radius-server retransmit

Specifies how many times the Cisco IOS software searches the list of RADIUS server hosts before giving up.

radius-server timeout

Sets the interval for which a router waits for a server host to reply.

show radius table attributes

To display a list of all attributes supported by the RADIUS subsystem, use the show radius table attributes command in user EXEC or privileged EXEC mode.

show radius table attributes

Syntax Description

This command has no arguments or keywords.

Command Modes

User EXEC (>)
Privileged EXEC (#)

Command History

Release

Modification

12.2(33)SRA

This command was introduced.

Usage Guidelines

This command enables you to verify that a required RADIUS attribute is supported in a specific release.

Examples

The following example displays the complete table attribute list from the show radius table attributes command.

The RADIUS Attribute 5 (NAS-Port) format specified on a per-server group level. The format is Ulong.

Service-Type

Sets the service type. The format is Enum.

Framed-Protocol

Indicates the framing to be used for framed access. It may be used in both Access-Request and Access-Accept packets. The format is Enum.

Framed-IP-Address

Indicates the address to be configured for the user. It may be used in Access-Accept packets. The format is IPv4 Address.

Framed-IP-Netmask

Indicates the IP netmask to be configured for the user when the user is a router to a network. The format is IPv4 Address.

Framed-Routing

Indicates the routing method for the user when the user is a router to a network. The format is Ulong.

Filter-Id

To disable, enable, get, or set a filter, the filter ID must be valid. The format is Binary.

Framed-MTU

Indicates the maximum transmission unit to be configured for the user, when it is not negotiated by some other means (such as PPP). The format is Ulong.

Framed-Compression

Indicates a compression protocol to be used for the link. The format is Enum.

login-ip-addr-host

Indicates the host to which the user will connect when the Login-Service attribute is included. The format is IPv4 Address.

Login-Service

The Login-IP-Host AVP (AVP Code 14) is of type Address and contains the system with which to connect the user, when the Login-Service AVP is included. The format is Enum.

login-tcp-port

The Login-TCP-Port AVP (AVP Code 16) is of type Integer32 and contains the TCP port with which the user is to be connected, when the Login-Service AVP is also present. The format is Ulong.

Reply-Message

Indicates text that may be displayed to the user. The format is Binary.

Callback-Number

Indicates a dialing string to be used for callback. The format is String.

Framed-Route

Provides routing information to be configured for the user on the NAS. The format is String.

Framed-IPX-Network

The Framed-IPX-Network AVP (AVP Code 23) is of type Unsigned32, and contains the IPX Network number to be configured for the user. The format is IPv4 Address.

State

Is available to be sent by the server to the client in an Access-Challenge and must be sent unmodified from the client to the server in the new Access-Request reply to that challenge, if any. The format is Binary.

Class

Is available to be sent by the server to the client in an Access-Accept and should be sent unmodified by the client to the accounting server as part of the Accounting-Request packet if accounting is supported. The format is Binary.

Vendor-Specific

Is available to allow vendors to support their own extended attributes not suitable for general usage. The format is Binary.

Session-Timeout

Sets the maximum number of seconds of service to be provided to the user before termination of the session or prompt. The format is Ulong.

Idle-Timeout

Sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt. The format is Ulong.

Termination-Action

Indicates what action the NAS should take when the specified service is completed. The format is Boolean.

Called-Station-Id

The Called-Station-Id AVP (AVP Code 30) is of type String and allows the NAS to send in the request the phone number that the user called, using Dialed Number Identification (DNIS) or a similar technology. The format is String.

Calling-Station-Id

The Calling-Station-Id AVP (AVP Code 31) is of type String and allows the NAS to send in the request the phone number that the call came from, using Automatic Number Identification (ANI) or a similar technology. The format is String.

Nas-Identifier

Contains a string identifying the NAS originating the access request. The format is String.

Acct-Status-Type

Indicates whether this Accounting-Request marks the beginning of the user service (Start) or the end (Stop). The format is Enum.

Acct-Delay-Time

Indicates how many seconds the client has been trying to send this record for, and can be subtracted from the time of arrival on the server to find the approximate time of the event generating this Accounting-Request. (Network transit time is ignored.) The format is Ulong.

Acct-Input-Octets

Indicates how many octets have been received from the port over the course of this service being provided, and can only be present in Accounting-Request records where Acct-Status-Type is set to Stop. The format is Ulong.

Acct-Output-Octets

Indicates how many octets have been sent to the port in the course of delivering this service, and can only be present in Accounting-Request records where Acct-Status-Type is set to Stop. The format is Ulong.

Acct-Session-Id

Is a unique accounting ID to make it easy to match start and stop records in a log file. The format is String.

Acct-Authentic

Indicates how the user was authenticated, whether by RADIUS, the NAS itself, or another remote authentication protocol. It may be included in an Accounting-Request. The format is Enum.

Acct-Session-Time

Indicates how many seconds the user has received service for, and can only be present in Accounting-Request records where Acct-Status-Type is set to Stop. The format is Ulong.

Acct-Input-Packets

Indicates how many packets have been received from the port over the course of this service being provided to a framed user, and can only be present in Accounting-Request records where Acct-Status-Type is set to Stop. The format is Ulong.

Acct-Output-Packets

Indicates how many packets have been sent to the port in the course of delivering this service to a framed user, and can only be present in Accounting-Request records where Acct-Status-Type is set to Stop. The format is Ulong.

Acct-Terminate-Cause

Indicates how the session was terminated, and can only be present in Accounting-Request records where Acct-Status-Type is set to Stop. The format is Enum.

Multilink-Session-ID

Indicates the service to use to connect the user to the login host. It is only used in Access-Accept packets. The format is String.

Acct-Link-Count

Gives the count of links which are known to have been in a given multilink session at the time the accounting record is generated. The format is Ulong.

Acct-Input-Giga-Words

Indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 over the course of this service being provided, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop or Interim-Update. The format is Ulong.

Acct-Output-Giga-Words

Indicates how many times the Acct-Output-Octets counter has wrapped around 2^32 in the course of delivering this service, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop or Interim-Update. The format is Ulong.

Event-Timestamp

Use to include the Event-Timestamp attribute in Acct-Start or Acct-Stop messages. The format is Ulong.

CHAP-Challenge

The CHAP is used to verify periodically the identity of the peer using a 3-way handshake. The format is Binary.

NAS-Port-Type

Indicates the physical port number of the NAS which is authenticating the user. The format is Enum.

Port-Limit

Sets the maximum number of ports to be provided to the user by the NAS. The format is Ulong.

Tunnel-Type

Indicates the tunneling protocol(s) to be used (in the case of a tunnel initiator) or the tunneling protocol in use (in the case of a tunnel terminator). The format is Enum.

Tunnel-Medium-Type

Indicates which transport medium to use when creating a tunnel for those protocols (such as L2TP) that can operate over multiple transports. The format is Enum.

Tunnel-Client-Endpoint

Contains the address of the initiator end of the tunnel. The format is String.

Tunnel-Server-Endpoint

Indicates the address of the server end of the tunnel. The format is String.

Acct-Tunnel-Connection

Indicates the identifier assigned to the tunnel session. The format is String.

Tunnel-Password

Can contain a password to be used to authenticate to a remote server. The format is Binary.

Prompt

Used only in Access-Challenge packets, and indicates to the NAS whether it should echo the user's response as it is entered, or not echo it. The format is Enum.

Connect-Info

Is sent from the NAS to indicate the nature of the user's connection. The format is String.

EAP-Message

Encapsulates Extensible Authentication Protocol packets so as to allow the NAS to authenticate dial-in users via EAP without having to understand the protocol. The format is Binary.

Message-Authenticator

Can be used to authenticate and integrity-protect Access-Requests in order to prevent spoofing. The format is Binary.

Tunnel-Private-Group-Id

Indicates the group ID for a particular tunneled session. The format is String.

Tunnel-Assignment-Id

Used to indicate to the tunnel initiator the particular tunnel to which a session is to be assigned. The format is String.

Tunnel-Preference

Should be included in each set to indicate the relative preference assigned to each tunnel if more than one set of tunneling attributes is returned by the RADIUS server to the tunnel initiator. The format is Ulong.

Acct-Interim-Interval

Indicates the number of seconds between each interim update for this specific session. The format is Ulong.

Tunnel-Packets-Lost

Indicates the number of packets lost on a given link. The format is Ulong.

NAS-Port-Id

Used to identify the IEEE 802.1X Authenticator port which authenticates the Supplicant. The format is String.

Tunnel-Client-Auth-ID

Specifies the name used by the tunnel initiator during the authentication phase of tunnel establishment. The format is String.

Tunnel-Server-Auth-ID

Specifies the name used by the tunnel terminator during the authentication phase of tunnel establishment. The format is String.

Framed-Interface-Id

Indicates the IPv6 interface identifier to be configured for the user. The format is Binary.

Framed-IPv6-Prefix

Indicates an IPv6 prefix (and corresponding route) to be configured for the user. The format is Binary.

Framed-IPv6-Route

Provides routing information to be configured for the user on the NAS. The format is String.

Framed-IPv6-Pool

Contains the name of an assigned pool that should be used to assign an IPv6 prefix for the user. The format is String.

Dynamic-Author-Error-Cause

Specifies the error causes associated with dynamic authorization. The format is Enum.

Old-Password

Is 16 octets in length. It contains the encrypted Lan Manager hash of the old password. The format is Binary.

Ascend-Filter-Required

Specifies whether the call should be permitted if the specified filter is not found. If present, this attribute will be applied after any authentication, authorization, and accounting (AAA) filter method-list. The format is Enum.

Ascend-Cache-Refresh

Specifies whether cache entries should be refreshed each time an entry is referenced by a new session. This attribute corresponds to the cache refresh command. The format is Enum.

Ascend-Cache-Time

Specifies the idle timeout, in minutes, for cache entries. This attribute corresponds to the cache clear age command. The format is Ulong.

Ascend-Auth-Type

Indicates the type of name and password (PPP) authorization to use. The format is Ulong.

Ascend-Redirect-Number

Indicates the original number in the information sent to the authentication server when the number dialed by a device is redirected to another number for authentication. The format is String.

Ascend-Private-Route

Specifies whether IP routing is allowed for the user profile. The format is String.

Ascend-Shared-Profile-Enable

Specifies whether multiple incoming callers can share a single RADIUS user profile. The format is Boolean.

Ascend-Client-Primary-DNS

Specifies a primary DNS server address to send to any client connecting to the MAX TNT. The format is IPv4 Address.

Ascend-Client-Secondary-DNS

Specifies a secondary DNS server address to send to any client connecting to the MAX TNT. The format is IPv4 Address.

Ascend-Client-Assign-DNS

Specifies whether or not the MAX TNT sends the Ascend-Client-Primary-DNS and Ascend-Client-Secondary-DNS values during connection negotiation. The format is Ulong.

Ascend-Session-Svr-Key

Specifies the session key that identifies the user session. You can specify up to 16 characters. The default value is null. The format is String.

Ascend-Multicast-Rate-Limit

Specifies how many seconds the MAX waits before accepting another packet from the multicast client. The format is Ulong.

Ascend-Multicast-Client

Specifies whether the user is a multicast client of the MAX. The format is Ulong.

Ascend-Multilink-Session-ID

Specifies the ID number of the Multilink bundle when the session closes. A Multilink bundle is a multichannel MP or MP+ call. The format is Ulong.

Ascend-Num-In-Multilink

Indicates the number of sessions remaining in a Multilink bundle when the session closes. A Multilink bundle is a multichannel MP or MP+ call. The format is Ulong.

Ascend-Presession-Octets-In

Reports the number of octets received before authentication. The value reflects only the data delivered by PPP or other encapsulation. It does not include the header or other protocol-dependent components of the packet. The format is Ulong.

Ascend-Presession-Octets-Out

Reports the number of octets transmitted before authentication. The value reflects only the data delivered by PPP or other encapsulation. It does not include the header or other protocol-dependent components of the packet. The format is Ulong.

Ascend-Presession-Packets-In

Reports the number of packets received before authentication. The packets are counted before the encapsulation is removed. The attribute's value does not include maintenance packets, such as keepalive or management packets. The format is Ulong.

Ascend-Presession-Packets-Out

Reports the number of packets transmitted before authentication. The packets are counted before the encapsulation is removed. The attribute's value does not include maintenance packets, such as keepalive or management packets. The format is Ulong.

Ascend-Max-Time

Specifies the maximum length of time in seconds that any session can remain online. Once a session reaches the time limit, its connection goes offline. The format is Ulong.

Ascend-Disconnect-Cause

Indicates the reason a connection went offline. The format is Enum.

Ascend-Connection-Progress

Indicates the state of the connection before it disconnects. The format is Enum.

Ascend-Data-Rate

Specifies the rate of data received on the connection in bits per second. The format is Ulong.

Ascend-Presession-Time

Reports the length of time in seconds from when a call connected to when it completes authentication. The format is Ulong.

Specifies the number of days that a password is valid. The format is Ulong.

Ascend-IP-Direct

Specifies the IP address to which the MAX TNT redirects packets from the user. When you include this attribute in a user profile, the MAX TNT bypasses all internal routing tables, and simply sends all packets it receives on the connection's WAN interface to the specified IP address. The format is IPv4 Address.

Ascend-PPP-VJ-Slot-Comp

Instructs the MAX TNT to not use slot compression when sending VJ-compressed packets. The format is Boolean.

Ascend-Asyncmap

The format is Ulong.

Ascend-Send-Secret

Specifies the password that the RADIUS server sends to the remote end of a connection on an outgoing call. It is encrypted when passed between the RADIUS server and the MAX TNT. The format is Binary.

Ascend_pool_definition

Specifies all the addresses in the pool. The format is String.

Ascend-IP-Pool

Specifies the first address in an IP address pool, as well as the number of addresses in the pool. The format is Ulong.

Ascend-Dial-Number

Specifies the phone number the MAX TNT dials to reach the router or node at the remote end of the link. The format is String.

Ascend-Route-IP

Specifies whether IP routing is allowed for the user profile. The format is Boolean.

Ascend-Send-Auth

Specifies the authentication protocol that the MAX TNT requests when initiating a PPP or MP+ connection. The answering side of the connection determines which authentication protocol, if any, the connection uses. The format is Enum.

Ascend-Link-Compression

Turns data compression on or off for a PPP link. The format is Enum.

Ascend-Target-Util

Specifies the percentage of bandwidth use at which the MAX TNT adds or subtracts bandwidth. The format is Ulong.

Ascend-Max-Channels

Specifies the maximum number of channels allowed on an MP+ call. The format is Ulong.

Ascend-Data-Filter

Specifies the characteristics of a data filter in a RADIUS user profile. The MAX TNT uses the filter only when it places or receives a call associated with the profile that includes the filter definition. The format is Binary.

Ascend-Call-Filter

Specifies the characteristics of a call filter in a RADIUS user profile. The MAX TNT uses the filter only when it places a call or receives a call associated with the profile that includes the filter definition. The format is Binary.

Ascend-Idle-Limit

Specifies the number of seconds the MAX TNT waits before clearing a call when a session is inactive. The format is Ulong.

Ascend-Data-Service

Specifies the type of data service the link uses for outgoing calls. The format is Ulong.

Ascend-Force-56

Indicates whether the MAX uses only the 56-kbps portion of a channel, even when all 64-kbps appear to be available. The format is Ulong.

Ascend-Xmit-Rate

Specifies the rate of data transmitted on the connection in bits per second. For ISDN calls, Ascend-Xmit-Rate indicates the transmit data rate. For analog calls, it indicates the modem baud rate at the time of the initial connection. The format is Ulong.

Cisco AVpair

The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair". The format is String.

cisco-nas-port

Enables the display of physical interface information and parent interface details as part of the cisco-nas-port vendor-specific attribute (VSA) for login calls. The format is String.

fax_account_id_origin

Indicates the account ID origin as defined by the system administrator for the mmoip aaa receive-id or the mmoip aaa send-id command. The format is String.

fax_msg_id

Indicates a unique fax message identification number assigned by Store and Forward Fax. The format is String.

fax_pages

Indicates the number of pages transmitted or received during this fax session. This page count includes cover pages. The format is String.

fax_modem_time

Indicates the amount of time in seconds the modem sent fax data (x) and the amount of time in seconds of the total fax session (y), which includes both fax-mail and PSTN time, in the form x/y. For example, 10/15 means that the transfer time took 10 seconds, and the total fax session took 15 seconds. The format is String.

fax_connect_speed

Indicates the modem speed at which this fax-mail was initially transmitted or received. Possible values are 1200, 4800, 9600, and 14400. The format is String.

fax_mdn_address

Indicates the address to which message delivery notifications (MDNs) will be sent. The format is String.

fax_mdn_flag

Indicates whether or not MDNs have been enabled. True indicates that MDN had been enabled; false means that MDN had not been enabled. The format is String.

fax_auth_status

Indicates whether or not authentication for this fax session was successful. Possible values for this field are success, failed, bypassed, or unknown. The format is String.

email_server_address

Indicates the IP address of the e-mail server handling the on-ramp fax-mail message. The format is String.

email_server_ack_flag

Indicates that the on-ramp gateway has received a positive acknowledgment from the e-mail server accepting the fax-mail message. The format is String.

gateway_id

Indicates the name of the gateway that processed the fax session. The name appears in the following format: hostname.domain-name. The format is String.

call_type

Describes the type of fax activity: fax receive or fax send. The format is String.

port_used

Indicates the slot/port number of the Cisco AS5300 used to either transmit or receive this fax-mail. The format is String.

abort_cause

If the fax session aborts, indicates the system component that signaled the abort. Examples of system components that could trigger an abort are FAP (Fax Application Process), TIFF (the TIFF reader or the TIFF writer), fax-mail client, fax-mail server, ESMTP client, or ESMTP server. The format is String.

h323-remote-address

Indicates the IP address of the remote gateway. The format is String.

Conf-Id

Indicates a unique call identifier generated by the gateway. Used to identify the separate billable events (calls) within a single calling session. The format is String.

Indicates the Q.931 disconnect cause code retrieved from CCAPI. The source of the code is the disconnect location such as a PSTN, terminating gateway, or SIP. The format is String.

h323-voice-quality

Indicates the ICPIF of the voice quality. The format is String.

h323-gw-id

Indicates the name of the tenor. The format is String.

Cisco AVpair

The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair". The format is String.

Cisco encrypted string vsa

Cisco allows several forms of sub-attribute encryption. The only method supported is the Cisco Encrypted String VSA Format also supported by an IETF draft for Salt-Encryption of RADIUS attributes. The format is String.

Sub_Policy_In

Defines the service policy input. The format is String.

Sub_Policy_Out

Defines the service policy output. The format is String.

h323-credit-amount

Indicates the amount of credit (in currency) that the account contains. The format is String.

h323-credit-time

Indicates the number of seconds for which the call is authorized. The format is String.

h323-return-code

Return codes are instructions from the RADIUS server to the voice gateway. The format is String.

h323-prompt-id

Indexes into an array that selects prompt files used at the gateway. The format is String.

h323-time-and-day

Indicates the time of day at the dialed number or at the remote gateway in the format: hour, minutes, seconds. The format is String.

h323-redirect-number

Indicates the phone number to which the call is redirected; for example, to a toll-free number or a customer service number. The format is String.

h323-preferred-lang

Indicates the language to use when playing the audio prompt specified by the h323-prompt-id. The format is String.

h323-redirect-ip-address

Indicates the IP address for an alternate or redirected call. The format is String.

h323-billing-model

Indicates the type of billing service for a specific call. The format is String.

h323-currency

Indicates the currency to use with h323-credit-amount. The format is String.

ssg-account-info

Subscribes the subscriber to the specified service and indicates that the subscriber should be automatically connected to this service after successful logon. The format is String.

ssg-service-info

SSG redirects the user's HTTP traffic to a server in the specified server group. All the service features (such as quality of service (QoS) and prepaid billing) are applied to the HTTP traffic. The format is String.

ssg-command-code

Specifies account logon and logoff, session query, and service activate and deactivate information. The format is Binary.

ssg-control-info

Indicates the control-info code for prepaid quota. The format is String.

MS-CHAP-Response

This attribute contains the response value provided by a PPP Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) user in response to the challenge. The format is Binary.

MS-CHAP-ERROR

Contains error data related to the preceding MS-CHAP exchange. The format is Binary.

MS-CHAP-CPW-1

Allows the user to change their password if it has expired. The format is Binary.

MS-CHAP-CPW-2

Allows the user to change their password if it has expired. The format is Binary.

MS-CHAP-LM-Enc-PW

Contains the new Windows NT password encrypted with the old LAN Manager password hash. The format is Binary.

MS-CHAP-NT-Enc-PW

Contains the new Windows NT password encrypted with the old Windows NT password hash. The format is Binary.

MS-MPPE-Enc-Policy

The MS-MPPE-Encryption-Policy attribute may be used to signify whether the use of encryption is allowed or required. The format is Binary.

MS-MPPE-Enc-Type

The MS-MPPE-Encryption-Types attribute is used to signify the types of encryption available for use with Microsoft Point-to-Point Encryption (MPPE). The format is Binary.

MS-RAS-Vendor

Used to indicate the manufacturer of the RADIUS client machine. The format is Binary.

MS-CHAP-DOMAIN

Indicates the Windows NT domain in which the user was authenticated. The format is Binary.

MSCHAP_Challenge

Contains the challenge sent by a NAS to a MS-CHAP user. The format is Binary.

MS-CHAP-MPPE-Keys

Contains two session keys for use by the MPPE. The format is Binary.

MS-BAP-Usage

Describes whether the use of Bandwidth Allocation Protocol (BAP) is allowed, disallowed or required on new multilink calls. The format is Binary.

MS-Link-Util-Thresh

Represents the percentage of available bandwidth utilization below which the link must fall before the link is eligible for termination. The format is Binary.

MS-Link-Drop-Time-Limit

Indicates the length of time (in seconds) that a link must be underutilized before it is dropped. The format is Binary.

MS-MPPE-Send-Key

Contains a session key for use by the MPPE. The format is Binary.

MS-MPPE-Recv-Key

Contains a session key for use by the MPPE. The format is Binary.

MS-RAS-Version

Used to indicate the version of the RADIUS client software. The format is Binary.

MS-Old-ARAP-Password

Used to transmit the old Apple Remote Access Protocol (ARAP) password during an ARAP password change operation. The format is Binary.

New-ARAP-Password

Used to transmit the new ARAP password during an ARAP password change operation. The format is Binary.

MS-ARAP-PW-Change-Reason

Used to indicate reason for a server-initiated password change. The format is Binary.

MS-Filter

Used to transmit traffic filters. The format is Binary.

MS-Acct-Auth-Type

Used to represent the method used to authenticate the dial-up user. The format is Binary.

MS-MPPE-EAP-Type

Used to represent the EAP type used to authenticate the dial-up user. The format is Binary.

MS-CHAP-V2-Response

This attribute is identical in format to the standard CHAP Response packet. The format is Binary.

MS-CHAP-V2-Success

Contains a 42-octet authenticator response string and must be included in the Message field packet sent from the NAS to the peer. The format is Binary.

MS-CHAP-CPW-2

Allows the user to change their password if it has expired. The format is Binary.

MS-Primary-DNS

Used to indicate the address of the primary DNS server to be used by the PPP peer. The format is IPv4 Address.

MS-Secondary-DNS

Used to indicate the address of the secondary DNS server to be used by the PPP peer. The format is IPv4 Address.

MS-1st-NBNS-Server

Used to indicate the address of the primary NetBIOS Name Server (NBNS) server to be used by the PPP peer. The format is IPv4 Address.

MS-2nd-NBNS-Server

Used to indicate the address of the secondary NBNS server to be used by the PPP peer. The format is IPv4 Address.

MS-ARAP-Challenge

Only present in an Access-Request packet containing a Framed-Protocol Attribute with the value 3 (ARAP). The format is Binary.

Charging-ID

Generated for each activated context. It is a unique four octet value generated by the GGSN when a PDP Context is activated. The format is Ulong.

PDP Type

Indicates the Packet Data Protocol (PDP) to be used by the mobile for a certain service. The format is Enum.

Charging-Gateway-Address

The IP address of the recommended Charging Gateway Functionality to which the SGSN should transfer the Charging Detail Records (CDR) for this PDP Context. The format is IPv4 Address.

GPRS-QoS-Profile

Controls the QoS negotiated values. The format is String.

SGSN-Address

This is the IP address of the SGSN that is used by the GTP control plane for handling control messages. The format is IPv4 Address.

GGSN-Address

IP address of the GGSN that is used by the GTP control plane for the context establishment. This address is the same as the GGSN IP address used in G-CDRs. The format is IPv4 Address.

IMSI-MCC-MNC

The MCC and MNC extracted from the user's IMSI number (the first 5 or 6 digits depending on the IMSI). The format is String.

GGSN-MCC-MNC

The MCC and MNC of the network to which the GGSN belongs. The format is String.

NSAPI

Identifies a particular PDP context for the associated PDN and MSISDN/IMSI from creation to deletion. The format is String.

Session-Stop-Ind

Indicates to the AAA server that the last PDP context of a session is released and that the PDP session has been terminated. The format is Binary.

Selection-Mode

Contains the selection mode for this PDP Context received in the Create PDP Context Request Message. The format is String.

Charging-Characteristics

Contains the charging characteristics for this PDP Context received in the Create PDP Context Request Message (only available in R99 and later releases). The format is String.

cdma-reverse-tnl-spec

Indicates the style of reverse tunneling that is required, and optionally appears in a RADIUS Access-Accept message. The format is Ulong.

cdma-diff-svc-class-opt

This attribute is deprecated and is replaced by the Allowed Differentiated Services Marking attribute. The Home RADIUS server authorizes differentiated services via the Differentiated Services Class Options attribute, and optionally appears in a RADIUS Access-Accept message. The format is Ulong.

A Home Agent (HA) IP address used during a MIP session by the user as defined in IETF RFC 2002. The format is IPv4 Address.

cdma-pcf-ip-addr

The IP address of the serving PCF (the PCF in the serving RN). The format is IPv4 Address.

cdma-bs-msc-addr

The Base Station (BS) Mobile Switching Center (MSC) address. The format is String.

cdma-user-id

The name of the user on the system. The format is Ulong.

cdma-forward-mux

Forwards FCH multiplex option. The format is Ulong.

cdma-reverse-mux

Reverses FCH multiplex option. The format is Ulong.

cdma-forward-rate

The format and structure of the radio channel in the forward Dedicated Control Channel. A set of forward transmission formats that are characterized by data rates, modulation characteristics, and spreading rates. The format is Ulong.

cdma-reverse-rate

The format and structure of the radio channel in the reverse Dedicated Control Channel. A set of reverse transmission formats that are characterized by data rates, modulation characteristics, and spreading rates. The format is Ulong.

cdma-service-option

Code Division Multiple Access (CDMA) service option as received from the RN. The format is Ulong.

cdma-forward-type

Forward direction traffic type. It is either Primary or Secondary. The format is Ulong.

cdma-reverse-type

Reverse direction traffic type. It is either Primary or Secondary. The format is Ulong.

The format and structure of the radio channel in the forward FCH. A set of forward transmission formats that are characterized by data rates, modulation characteristics, and spreading rates. The format is Ulong.

cdma-reverse-rc

The format and structure of the radio channel in the reverse FCH. A set of reverse transmission formats that are characterized by data rates, modulation characteristics, and spreading rates. The format is Ulong.

cdma-ip-tech

Identifies the IP technology to use for the call: Simple IP or Mobile IP. The format is Ulong.

cdma-comp-flag

Indicates the type of compulsory tunnel. The format is Ulong.

cdma-reason-ind

Indicates the reasons for a stop record. The format is Ulong.

cdma-bad-frame-count

The total number of PPP frames from the MS dropped by the Packet Data Serving Node (PDSN) due to uncorrectable errors. The format is Ulong.

cdma-num-active

The number of active transitions. The format is Ulong.

cdma-sdb-input-octets

This is the Short Data Burst (SDB) octet count reported by the RN in the SDB Airlink Record. The format is Ulong.

cdma-sdb-output-octets

The SDB octet count reported by the RN in the SDB Airlink Record. The format is Ulong.

cdma-numsdb-input

The number of terminating SDBs. The format is Ulong.

cdma-numsdb-output

The number of originating SDBs. The format is Ulong.

cdma-ip-qos

Indicates the IP Quality of Service (QoS). The format is Ulong.

cdma-airlink-qos

Identifies Airlink Priority associated with the user. This is the user's priority associated with the packet data service. The format is Ulong.

The count of all octets received in the reverse direction by the High-Level Data Link Control (HDLC) layer in the PDSN. The format is Ulong.

cdma-correlation-id

Indicates a unique accounting ID created by the Serving PDSN for each packet data session that allows multiple accounting events for each associated R-P connection or P-P connection to be correlated. The format is String.

cdma-moip-inbound

This is the total number of octets in registration requests and solicitations sent by the MS. The format is Ulong.

cdma-moip-outbound

This is the total number of octets in registration replies and agent advertisements, sent to the MS. The format is Ulong.

cdma-session-continue

When set to "true", this attribute means that it is not the end of a session and that an Accounting Stop is immediately followed by an Account Start Record. "False" means the end of a session. The format is Ulong.

cdma-active-time

The total active connection time on traffic channel in seconds. The format is Ulong.

cdma-frame-size

Specifies the FSH frame size. The format is Ulong.

cdma-esn

Indicates the Electronic Serial Number (ESN). The format is String.

cdma-mn-ha-spi

The SPI for the MN-HA shared key that optionally appears in a RADIUS Access-Request message. It is used to request an MN-HA shared key. The format is Ulong.

cdma-mn-ha-shared-key

A shared key for MN-HA that may appear in a RADIUS Access-Accept message. The MN-HA shared key is encrypted using a method based on the RSA Message Digest Algorithm MD5 [RFC 1321] as described in Section 3.5 of RFC 2868. The format is Binary.

cdma-sess-term-capability

The value shall be bitmap encoded rather than a raw integer. This attribute shall be included in a RADIUS Access-Request message to the Home RADIUS server and shall contain the value 3 to indicate that the PDSN and HA support both Dynamic authorization with RADIUS and Registration Revocation for Mobile IPv4. The attribute shall also be included in the RADIUS Access-Accept message and shall contain the preferred resource management mechanism by the home network, which shall be used for the session and may include values 1 to 3. The format is Ulong.

cdma-disconnect-reason

Indicates the reason for disconnecting the user. This attribute may be included in a RADIUS Disconnect-Request message from Home RADIUS server to the PDSN. The format is Ulong.

mip-key-data

This is the key data payload containing the encrypted MN_AAA key, MN_HA key, CHAP key, MN_Authenticator, and AAA_Authenticator. The format is Binary.

aaa-authenticator

This is the 64-bit AAA_Authenticator value decrypted by the Home RADIUS AAA Server. The format is Binary.

public-key-invalid

The home RADIUS AAA Server includes this attribute to indicate that the Public key used by the MN is not valid. The format is Binary.
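
The cdma-mn-ha-shared-key entry above refers to the hiding method of RFC 2868, Section 3.5. The following added example (not Cisco code) implements that method and its inverse as the RFC defines it, assuming the attribute value is laid out as a 2-octet salt followed by the encrypted string; the function names and all sample values are constructed for illustration.

```python
import hashlib

BLOCK = 16  # MD5 digest size; RFC 2868 section 3.5 works in 16-octet chunks


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def hide(secret: bytes, request_auth: bytes, salt: bytes, key: bytes) -> bytes:
    """Return salt + ciphertext for `key` using RFC 2868 section 3.5 hiding."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the most significant bit set")
    if len(key) > 255:
        raise ValueError("key does not fit the one-octet Data-Length field")
    # Plaintext = Data-Length octet + key + zero padding to a 16-octet multiple.
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % BLOCK)
    cipher = bytearray()
    chain = request_auth + salt              # b(1) = MD5(S + R + A)
    for i in range(0, len(plain), BLOCK):
        pad = _md5(secret + chain)
        block = bytes(p ^ k for p, k in zip(plain[i:i + BLOCK], pad))
        cipher += block
        chain = block                        # b(i) = MD5(S + c(i-1))
    return salt + bytes(cipher)


def reveal(secret: bytes, request_auth: bytes, value: bytes) -> bytes:
    """Invert hide(): recover the key from salt + ciphertext."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(value) < 2 + BLOCK or (len(value) - 2) % BLOCK:
        raise ValueError("value must be a 2-octet salt plus whole 16-octet blocks")
    salt, cipher = value[:2], value[2:]
    plain = bytearray()
    chain = request_auth + salt
    for i in range(0, len(cipher), BLOCK):
        block = cipher[i:i + BLOCK]
        pad = _md5(secret + chain)
        plain += bytes(c ^ k for c, k in zip(block, pad))
        chain = block                        # chaining always uses ciphertext
    length = plain[0]
    if length > len(plain) - 1:
        # The only integrity signal the scheme offers: an impossible length.
        raise ValueError("Data-Length exceeds payload: wrong secret or corrupted value")
    return bytes(plain[1:1 + length])


# Constructed sample values (not taken from any real deployment).
SHARED_SECRET = b"radius-shared-secret"
REQUEST_AUTH = bytes(range(16))
SALT = b"\x80\x01"
MN_HA_KEY = b"constructed-mn-ha-key"   # 21 octets, so two cipher blocks

if __name__ == "__main__":
    hidden = hide(SHARED_SECRET, REQUEST_AUTH, SALT, MN_HA_KEY)
    print(hidden.hex())
    print(reveal(SHARED_SECRET, REQUEST_AUTH, hidden))
```

The hiding depends only on the RADIUS shared secret, the Request Authenticator and the salt, and it carries no integrity check beyond the length octet, so the strength of the shared secret and the protection of the RADIUS path determine how well the MN-HA key is protected in transit.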

Related Commands

Command

Description

show radius

Displays information about the RADIUS servers that are configured in the system.

show redundancy application asymmetric-routing

To display asymmetric routing information for a redundancy group, use the
show redundancy application asymmetric-routing command in user EXEC or privileged EXEC mode.

The IP address of the asymmetric routing interface and the IP address of the peer asymmetric routing interface are displayed under the transport context.

Group ID

The identifier for the asymmetric routing redundancy group.

rii

The redundancy interface identifier.

Related Commands

Command

Description

redundancy application asymmetric-routing

Associates a redundancy group with an interface that is used for asymmetric routing.

show redundancy application control-interface group

To display control interface information for a redundancy group, use the show redundancy application control-interface group command in privileged EXEC mode.

show redundancy application control-interface group [group-id]

Syntax Description

group-id

(Optional) Redundancy group ID. Valid values are 1 and 2.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Release 3.1S

This command was introduced.

Cisco IOS XE Release 3.9S

This command was integrated into Cisco IOS XE Release 3.9S.

Usage Guidelines

The show redundancy application control-interface command shows information for the redundancy group control interfaces.

Examples

The following is sample output from the show redundancy application control-interface command:

Router# show redundancy application control-interface group 2
The control interface for rg[2] is GigabitEthernet0/1/0
Interface is Control interface associated with the following protocols: 2 1
BFD Enabled
Interface Neighbors:

Examples

The following is a sample output from the show redundancy application control-interface group command on Cisco 4400 Series ISR:

show redundancy application data-interface

To display data interface-specific information, use the show redundancy application data-interface command in privileged EXEC mode.

show redundancy application data-interface group [group-id]

Syntax Description

group

Specifies the redundancy group.

group-id

(Optional) Redundancy group ID. Valid values are 1 and 2.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Release 3.1S

This command was introduced.

Cisco IOS XE Release 3.9S

This command was integrated into Cisco IOS XE Release 3.9S.

Usage Guidelines

The show redundancy application data-interface command displays information about the redundancy group data interfaces.

Examples

The following is sample output from the show redundancy application data-interface command:

Router# show redundancy application data-interface group 1
The data interface for rg[1] is GigabitEthernet0/1/1

Examples

The following sample output shows configuration details for redundancy application group 1 and group 2 from the show redundancy application data-interface command:

Router# show redundancy application data-interface group 1
The data interface for rg[1] is GigabitEthernet0/0/1
Router # show redundancy application data-interface group 2
The data interface for rg[2] is GigabitEthernet0/0/1

Related Commands

Command

Description

show redundancy application control-interface

Displays control interface information for a redundancy group.

show redundancy application faults

Displays fault-specific information for a redundancy group.

show redundancy application group

Displays redundancy group information.

show redundancy application if-mgr

Displays if-mgr information for a redundancy group.

show redundancy application protocol

Displays protocol-specific information for a redundancy group.

show redundancy application faults group

To display fault-specific information for a redundancy group, use the show redundancy application faults group command in privileged EXEC mode.

show redundancy application faults group [group-id]

Syntax Description

group-id

(Optional) Redundancy group ID. Valid values are 1 and 2.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Release 3.1S

This command was introduced.

Cisco IOS XE Release 3.9S

This command was integrated into Cisco IOS XE Release 3.9S.

Usage Guidelines

The show redundancy application faults command shows information returned by redundancy group faults.

Examples

The following is sample output from the show redundancy application faults command:

Router# show redundancy application faults group 2
Faults states Group 2 info:
Runtime priority: [150]
RG Faults RG State: Up.
Total # of switchovers due to faults: 2
Total # of down/up state changes due to faults: 2

Examples

The following is a sample output from the show redundancy application faults command:

Router# show redundancy application faults group
Faults states Group 1 info:
Runtime priority: [50]
RG Faults RG State: Up.
Total # of switchovers due to faults: 0
Total # of down/up state changes due to faults: 2
Faults states Group 2 info:
Runtime priority: [135]
RG Faults RG State: Up.
Total # of switchovers due to faults: 0
Total # of down/up state changes due to faults: 2

Table 41 show redundancy application group all Field Descriptions

Field

Description

Faults states Group 1 info

Redundancy group faults information for Group 1.

Runtime priority

Current redundancy group priority of the group. This field is important when monitoring redundancy group switchover and when configuring interface tracking.

RG Faults RG State

Redundancy group state returned by redundancy group faults.

Total # of switchovers due to faults

Number of switchovers triggered by redundancy group fault events.

Total # of down/up state changes due to faults

Number of down and up state changes triggered by redundancy group fault events.
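
The fields described above lend themselves to automated monitoring of redundancy group switchovers. The following added example (not Cisco code) parses the multi-group output into records and reports what changed between two polls; the first poll is the sample output shown above, the second poll is constructed, and the function and class names are hypothetical.

```python
import re
from dataclasses import dataclass

# First poll: the two-group sample output shown above.
POLL_1 = """\
Router# show redundancy application faults group
Faults states Group 1 info:
Runtime priority: [50]
RG Faults RG State: Up.
Total # of switchovers due to faults: 0
Total # of down/up state changes due to faults: 2
Faults states Group 2 info:
Runtime priority: [135]
RG Faults RG State: Up.
Total # of switchovers due to faults: 0
Total # of down/up state changes due to faults: 2
"""

# Second poll: constructed for this example (group 2 has failed over).
POLL_2 = """\
Router# show redundancy application faults group
Faults states Group 1 info:
Runtime priority: [50]
RG Faults RG State: Up.
Total # of switchovers due to faults: 0
Total # of down/up state changes due to faults: 2
Faults states Group 2 info:
Runtime priority: [35]
RG Faults RG State: Up.
Total # of switchovers due to faults: 1
Total # of down/up state changes due to faults: 3
"""


@dataclass(frozen=True)
class GroupFaults:
    group_id: int
    runtime_priority: int
    state: str
    switchovers: int
    state_changes: int


_HEADER = re.compile(r"^Faults states Group (\d+) info:\s*$")
_FIELDS = {
    "runtime_priority": re.compile(r"^Runtime priority:\s*\[(\d+)\]"),
    "state": re.compile(r"^RG Faults RG State:\s*(.+?)\.?\s*$"),
    "switchovers": re.compile(r"^Total # of switchovers due to faults:\s*(\d+)"),
    "state_changes": re.compile(
        r"^Total # of down/up state changes due to faults:\s*(\d+)"),
}


def parse_faults(text):
    """Parse command output into {group_id: GroupFaults}."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = _HEADER.match(line)
        if header:
            current = {"group_id": int(header.group(1))}
            groups[current["group_id"]] = current
            continue
        if current is None:
            continue  # prompt or banner before the first group
        for name, rx in _FIELDS.items():
            m = rx.match(line)
            if m:
                current[name] = m.group(1) if name == "state" else int(m.group(1))
                break
    for gid, rec in groups.items():
        missing = sorted(set(_FIELDS) - set(rec))
        if missing:  # truncated capture: refuse to report partial data
            raise ValueError(f"group {gid}: missing fields {missing}")
    return {gid: GroupFaults(**rec) for gid, rec in groups.items()}


def fault_deltas(before, after):
    """Return (group_id, message) tuples for everything that changed."""
    alerts = []
    for gid in sorted(after):
        new, old = after[gid], before.get(gid)
        if old is None:
            alerts.append((gid, "new group"))
            continue
        if new.switchovers < old.switchovers or new.state_changes < old.state_changes:
            alerts.append((gid, "counters reset"))  # reload or cleared counters
            continue
        if new.switchovers > old.switchovers:
            alerts.append((gid, f"switchovers +{new.switchovers - old.switchovers}"))
        if new.state_changes > old.state_changes:
            alerts.append((gid, f"state changes +{new.state_changes - old.state_changes}"))
        if new.runtime_priority != old.runtime_priority:
            alerts.append(
                (gid, f"runtime priority {old.runtime_priority} -> {new.runtime_priority}"))
        if new.state != old.state:
            alerts.append((gid, f"state {old.state} -> {new.state}"))
    for gid in sorted(set(before) - set(after)):
        alerts.append((gid, "group missing"))
    return alerts


if __name__ == "__main__":
    for gid, msg in fault_deltas(parse_faults(POLL_1), parse_faults(POLL_2)):
        print(f"rg[{gid}]: {msg}")
```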

Related Commands

Command

Description

show redundancy application control-interface

Displays control interface information for a redundancy group.

show redundancy application group

Displays redundancy group information.

show redundancy application if-mgr

Displays if-mgr information for a redundancy group.

show redundancy application protocol

Displays protocol-specific information for a redundancy group.

show redundancy application group

To display the redundancy group information, use the show redundancy application group command in privileged EXEC mode.

show redundancy application group [ group-id | all ]

Syntax Description

group-id

(Optional) Redundancy group ID. Valid values are 1 and 2.

all

(Optional) Display information about all redundancy groups.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Release 3.1S

This command was introduced.

15.3(2)T

This command was integrated into Cisco IOS Release 15.3(2)T.

Cisco IOS XE Release 3.9S

This command was implemented on Cisco ISR 4400 Series Integration Service Routers.

Usage Guidelines

Use the show redundancy application group command to display the current state of each interbox redundancy group on the device and the peer device.

Examples

The following is sample output from the show redundancy application group command:

The table below describes the significant fields shown in the display.

Table 42 show redundancy application group all Field Descriptions

Field

Description

Faults states Group 1 info

Redundancy group faults information for Group 1.

Runtime priority

Current priority of the redundancy group.

RG Faults RG State

Redundancy group state returned by redundancy group faults.

Total # of switchovers due to faults

Number of switchovers triggered by redundancy group fault events.

Total # of down/up state changes due to faults

Number of down and up state changes triggered by redundancy group fault events.

Group ID

Redundancy group ID.

Group Name

Redundancy group name.

Administrative State

Redundancy group state configured by users.

Aggregate operational state

Current redundancy group state.

My Role

Current role of the device.

Peer Role

Current role of the peer device.

Peer Presence

Indicates if the peer device is detected or not.

Peer Comm

Indicates the communication state with the peer device.

Peer Progression Started

Indicates if the peer device has started Redundancy Framework (RF) progression.

RF Domain

Name of the RF domain for the redundancy group.

Related Commands

Command

Description

show redundancy application control-interface

Displays control interface information for a redundancy group.

show redundancy application faults

Displays fault-specific information for a redundancy group.

show redundancy application if-mgr

Displays if-mgr information for a redundancy group.

show redundancy application protocol

Displays protocol-specific information for a redundancy group.

show redundancy application if-mgr

To display interface manager information for a redundancy group, use the show redundancy application if-mgr command in privileged EXEC mode.

show redundancy application if-mgr group [group-id]

Syntax Description

group

Specifies the redundancy group.

group-id

(Optional) Redundancy group ID. Valid values are 1 to 2.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Release 3.1S

This command was introduced.

Cisco IOS XE Release 3.9S

This command was integrated into Cisco IOS XE Release 3.99S.

Usage Guidelines

The show redundancy application if-mgr command shows information of traffic interfaces protected by redundancy groups. When a traffic interface is functioning with the redundancy group, the state is no shut on the active device, and shut on the standby device. On the other hand, it is always shut on the standby device.

Examples

The following sample output shows configuration details of redundancy group 1 and redundancy group 2 from the show redundancy application if-mgr command:

Related Commands

show running-config

To display the contents of the current running configuration file or the configuration for a specific module, Layer 2 VLAN, class map, interface, map class, policy map, or virtual circuit (VC) class, use the show running-config command in privileged EXEC mode.

show running-config [options]

Syntax Description

options

(Optional) Keywords used to customize output. You can enter more than one keyword.

all--Expands the output to include the commands that are configured with default parameters. If the all keyword is not used, the output does not display commands configured with default parameters.

brief--Displays the configuration without certification data and encrypted filter details. The brief keyword can be used with the linenum keyword.

class-map [name] [linenum]--Displays class map information. The linenum keyword can be used with the class-map name option.

control-plane [cef-exception | host | transit]--Displays control-plane information. The cef-exception, host, and transit keywords can be used with the control-plane option.

flow {exporter | monitor | record}--Displays global flow configuration commands. The exporter, monitor, and record keywords can be used with the flow option.

full--Displays the full configuration.

interface type number--Displays interface-specific configuration information. If you use the interface keyword, you must specify the interface type and the interface number (for example, interface ethernet 0). Keywords for common interfaces include async, ethernet, fastEthernet, group-async, loopback, null, serial, and virtual-template. Use the show run interface ? command to determine the interfaces available on your system.

linenum--Displays line numbers in the output. The brief or full keyword can be used with the linenum keyword. The linenum keyword can be used with the class-map, interface, map-class, policy-map, and vc-class keywords.

partition types--Displays the configuration corresponding to a partition. The types keyword can be used with the partition option.

policy-map [name] [linenum]--Displays policy map information. The linenum keyword can be used with the policy-map name option.

vc-class [name] [linenum]--Displays VC-class information (the display is available only on certain devices such as the Cisco 7500 series devices). The linenum keyword can be used with the vc-class name option.

view full--Enables the display of a full running configuration. This is for view-based users who typically can only view the configuration commands that they are entitled to access for that particular view.

Command Default

The default syntax, show running-config, displays the contents of the running configuration file, except commands configured using the default parameters.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

11.0

This command was introduced.

12.0

This command was replaced by the more system:running-config command.

12.0(1)T

This command was integrated into Cisco IOS Release 12.0(1)T, and the output modifier (|) was added.

12.2(4)T

This command was modified. The linenum keyword was added.

12.3(8)T

This command was modified. The view full option was added.

12.2(14)SX

This command was integrated into Cisco IOS Release 12.2(14)SX. The module number and vlan vlan-id keywords and arguments were added for the Supervisor Engine 720.

12.2(17d)SXB

This command was integrated into Release 12.2(17d)SXB and implemented on the Supervisor Engine 2.

12.2(33)SXH

This command was modified. The all keyword was added.

12.2(31)SB2

This command was integrated into Cisco IOS Release 12.2(31)SB2. This command was enhanced to display the configuration information for traffic shaping overhead accounting for ATM and was implemented on the Cisco 10000 series device for the PRE3.

12.2(33)SRC

This command was integrated into Cisco IOS Release 12.2(33)SRC.

12.2(33)SB

This command was modified. Support for the Cisco 7300 series device was added.

12.4(24)T

This command was modified in a release earlier than Cisco IOS Release 12.4(24)T. The partition and vrf keywords were added. The module and vlan keywords were removed.

15.0(1)M

This command was modified. The output was modified to include encrypted filter information.

12.2(33)SXI

This command was modified. The output was modified to display Access Control List (ACL) information.

Usage Guidelines

The show running-config command is technically a command alias (substitute or replacement syntax) of the more system:running-config command. Although the use of more commands is recommended (because of their uniform structure across platforms and their expandable syntax), the show running-config command remains enabled to accommodate its widespread use, and to allow typing shortcuts such as show run.

The show running-config interface command is useful when there are multiple interfaces and you want to look at the configuration of a specific interface.

The linenum keyword causes line numbers to be displayed in the output. This option is useful for identifying a particular portion of a very large configuration.

You can enter additional output modifiers in the command syntax by including a pipe character (|) after the optional keyword. For example, show running-config interface serial 2/1 linenum | begin 3. To display the output modifiers that are available for a keyword, enter | ? after the keyword. Depending on the platform you are using, the keywords and the arguments for the options argument may vary.

Prior to Cisco IOS Release 12.2(33)SXH, the show running-config command output omitted configuration commands set with default values. Effective with Cisco IOS Release 12.2(33)SXH, the show running-config all command displays complete configuration information, including the default settings and values. For example, if the Cisco Discovery Protocol (abbreviated as CDP in the output) hold-time value is set to its default of 180:

The show running-config command does not display this value.

The show running-config all command displays the following output: cdp holdtime 180.

If the Cisco Discovery Protocol holdtime is changed to a nondefault value (for example, 100), the output of the show running-config and show running-config all commands is the same; that is, the configured parameter is displayed.

Note

In Cisco IOS Release 12.2(33)SXH, the all keyword expands the output to include some of the commands that are configured with default values. In subsequent Cisco IOS releases, additional configuration commands that are configured with default values will be added to the output of the show running-config all command.

In some cases, you might see a difference in the duplex mode that is displayed between the show interfaces command and the show running-config command. The duplex mode that is displayed in the show interfaces command is the actual duplex mode that the interface is running. The show interfaces command displays the operating mode of an interface, and the show running-config command displays the configured mode of the interface.

The show running-config command output for an interface might display the duplex mode but no configuration for the speed. This output indicates that the interface speed is configured as auto and that the duplex mode that is displayed becomes the operational setting once the speed is configured to something other than auto. With this configuration, it is possible that the operating duplex mode for that interface does not match the duplex mode that is displayed with the show running-config command.

Examples

The following example shows the configuration for serial interface 1. The fields are self-explanatory.

In the following sample output from the show running-config command, the shape average command indicates that the traffic shaping overhead accounting for ATM is enabled. The BRAS-DSLAM encapsulation type is qinq and the subscriber line encapsulation type is snap-rbe based on the ATM adaptation layer 5 (AAL5) service. The fields are self-explanatory.

Related Commands

Specifies or modifies the bandwidth allocated for a class belonging to a policy map, and enables ATM overhead accounting.

boot config

Specifies the device and filename of the configuration file from which the device configures itself during initialization (startup).

configure terminal

Enters global configuration mode.

copy running-config startup-config

Copies the running configuration to the startup configuration. (Command alias for the copy system:running-config nvram:startup-config command.)

shape

Shapes traffic to the indicated bit rate according to the algorithm specified, and enables ATM overhead accounting.

show interfaces

Displays statistics for all interfaces configured on the device or access server.

show policy-map

Displays the configuration of all classes for a specified service policy map or all classes for all existing policy maps, and displays ATM overhead accounting information, if configured.

show startup-config

Displays the contents of NVRAM (if present and valid) or displays the configuration file pointed to by the CONFIG_FILE environment variable. (Command alias for the more nvram:startup-config command.)

show running-config vrf

To display the subset of the running configuration of a router that is linked to a specific VPN routing and forwarding (VRF) instance or linked to all VRFs configured on the router, use the show running-config vrf command in privileged EXEC mode.

show running-config vrf [vrf-name]

Syntax Description

vrf-name

(Optional) Name of the VRF configuration that you want to display.

Command Default

If you do not specify the name of a VRF configuration, the running configurations of all VRFs on the router are displayed.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

12.2(28)SB

This command was introduced.

12.2(33)SRB

This command was integrated into Cisco IOS Release 12.2(33)SRB.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

12.4(20)T

This command was integrated into Cisco IOS Release 12.4(20)T.

Cisco IOS XE Release 2.1

This command was integrated into Cisco IOS XE Release 2.1.

Cisco IOS XE Release 3.5S

This command was modified. The output of the command was modified to display the Network Address Translation (NAT) configuration.

Usage Guidelines

Use the show running-config vrf command to display a specific VRF configuration or to display all VRF configurations on the router. To display the configuration of a specific VRF, specify the name of the VRF.

This command displays the following elements of the VRF configuration:

The VRF submode configuration.

The routing protocol and static routing configurations associated with the VRF.

The configuration of interfaces in the VRF, which includes the configuration of any owning controller and physical interface for a subinterface.

Examples

The following is sample output from the show running-config vrf command. It includes a base VRF configuration for VRF vpn3 and Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF) configurations associated with VRF vpn3.

The table below describes the significant fields shown in the display.

Table 46 show sasl profile all Field Descriptions

Field

Description

SASL profile

Indicates the name of the SASL profile.

Refs

Indicates the number of active sessions.

Mechs

Indicates the profile mechanisms configured.

client

Indicates the SASL client configured for the specified profile.

servers

Indicates the SASL server configured for the specified profile.

Related Commands

Command

Description

sasl

Configures SASL.

show secure bootset

To display the status of Cisco IOS image and configuration resilience, use the show secure command in privileged EXEC mode.

show secure bootset

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

12.3(8)T

This command was introduced.

Usage Guidelines

Use the show secure bootset command, instead of the Cisco IOS directory listing dir command, to verify the existence of an image archive. This command also displays output that specifies whether the image or configuration archive is ready for an upgrade.

Examples

The following is sample output from the show secure bootset command. The field descriptions are self-explanatory:

Command Modes

Command History

This command was introduced in a release earlier than Cisco IOS Release 15.0(1) on Cisco 3845 series routers.

Examples

The following is sample output from the show smm counters command. Fields in the output are self-explanatory.

Router# show smm counters
Number of non-matching packets processed - 0
Number of cache hits - 0
Number of cache misses - 0
Cache full instances - 0
Number of matching packets processed - 0
Number of matches for Stage0 - 0
Number of matches for Stage1 - 0
Number of matches for Stage2 - 0
Number of matches for Stage3 - 0
Number of signatures in signature database - 0

Shows the status of the NHRP MIB. "Enabled" indicates that the NHRP MIB is enabled. If the NHRP MIB was disabled, it would display "Disabled".

ListEnqueue Count

Indicates how many nodes have been queued for freeing.

Node Malloc Counts

Indicates how many nodes are allocated.

Related Commands

Command

Description

show snmp mib

Displays a list of the MIB OIDs registered on the system.

show ssh

To display the status of Secure Shell (SSH) server connections on the router, use the show ssh command in user EXEC or privileged EXEC mode.

show ssh vty [ssh-number]

Syntax Description

vty

Displays virtual terminal line (VTY) connection details.

ssh-number

(Optional) The number of SSH server connections on the router. Range is from 0 to 1510. The default value is 0.

Command Modes

User EXEC (>)
Privileged EXEC (#)

Command History

Release

Modification

12.1(15)T

This command was introduced.

12.2(33)SRA

This command was modified. It was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXI

This command was modified. It was integrated into Cisco IOS Release 12.2(33)SXI.

Cisco IOS XE Release 2.1

This command was modified. It was integrated into Cisco IOS XE Release 2.1.

Usage Guidelines

Use the show ssh command to display the status of the SSH connections on your router. This command does not display any SSH configuration data. Use the show ip ssh command for SSH configuration information such as timeouts and retries.

Examples

The following is sample output from the show ssh command with SSH enabled:

Related Commands

Changes how long a TCP connection will be managed by the TCP intercept after no activity.

ip tcp intercept finrst-timeout

Changes how long after receipt of a reset or FIN-exchange the software ceases to manage the connection.

ip tcp intercept list

Enables TCP intercept.

show tcp intercept connections

Displays TCP incomplete and established connections.

show tech-support alg

To display application layer gateway (ALG)-specific information to assist in troubleshooting, use the show tech-support alg command in privileged EXEC mode.

show tech-support alg platform

Syntax Description

platform

Displays platform-specific ALG information.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Release 3.9S

This command was introduced.

Usage Guidelines

The show tech-support alg command is useful for collecting a large amount of information about ALGs for troubleshooting purposes. The output of this command can be provided to technical support representatives when reporting a problem. The command output displays the output of a number of show commands at once. The output from this command varies depending on your platform and configuration.

Examples

The following is sample output from the show tech-support alg platform command:

Command Modes

Command History

This command was implemented on the Cisco ASR 1000 Series Aggregation Service Routers.

Cisco IOS XE Release 3.7S

This command was modified. The platform keyword was added. The output was enhanced to display platform-specific information about the IPsec flow.

Usage Guidelines

The show tech-support ipsec command simplifies the collection of IPsec-related information if you are troubleshooting a problem.

The show tech-support ipsec command without any keywords displays the output from the following show commands, as listed in the order below:

show version

show running-config

show crypto isakmp sa count

show crypto ipsec sa count

show crypto session summary

show crypto session detail

show crypto isakmp sa detail

show crypto ipsec sa detail

show crypto isakmp peers

show crypto ruleset detail

show processes memory | include Crypto IKMP

show processes cpu | include Crypto IKMP

show crypto eli

show crypto engine accelerator statistic

The show tech-support ipsec command with the peer keyword and the ipv4-address argument displays the output from the following show commands, as listed in the order below:

show version

show running-config

show crypto session remote ipv4address detail

show crypto isakmp sa peer ipv4address detail

show crypto ipsec sa peer ipv4address detail

show crypto isakmp peers ipv4address

show crypto ruleset detail

show processes memory | include Crypto IKMP

show processes cpu | include Crypto IKMP

show crypto eli

show crypto engine accelerator statistic

The show tech-support ipsec command with the vrf vrf-name keyword and argument displays the output from the following show commands, as listed in the order below:

show version

show running-config

show crypto isakmp sa count vrf vrf-name

show crypto ipsec sa count vrf vrf-name

show crypto session ivrf ivrf-name detail

show crypto session fvrf fvrf-name detail

show crypto isakmp sa vrf vrf-name detail

show crypto ipsec sa vrf vrf-name detail

show crypto ruleset detail

show processes memory | include Crypto IKMP

show processes cpu | include Crypto IKMP

show crypto eli

show crypto engine accelerator statistic

The show tech-support ipsec platform command displays the output from the following show commands, as listed in the order below:

show clock

show version

show running-config

show crypto tech-support

show crypto isakmp sa count

show crypto ipsec sa count

show crypto isakmp sa detail

show crypto ipsec sa detail

show crypto session summary

show crypto session detail

show crypto isakmp peers

show crypto ruleset detail

show processes memory

show processes cpu

show crypto eli

show crypto engine accelerator statistic

show crypto isakmp diagnose error

show crypto isakmp diagnose error count

show crypto call admission statistics

Related Commands

Command

Description

show tech-support

Displays information about the device when the device reports a problem.

show tunnel endpoints

To display the contents of the tunnel endpoint database that is used for tunnel endpoint address resolution, when running a tunnel in multipoint generic routing encapsulation (mGRE) mode, use the show tunnel endpoints command in privileged EXEC mode.

show tunnel endpoints [tunnel tunnel-number]

Syntax Description

tunnel

(Optional) Specifies the tunnel interface. If a tunnel is specified, only the endpoint database for that tunnel is displayed. If a tunnel is not specified, endpoint databases for all tunnels are displayed.

tunnel-number

(Optional) Tunnel interface number. The range is from 0 to 2147483647.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

12.0(27)S

This command was introduced.

12.2(18)SXE

This command was integrated into Cisco IOS Release 12.2(18)SXE.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.4(11)T

This command was integrated into Cisco IOS Release 12.4(11)T.

Cisco IOS XE Release 2.1

This command was implemented on the Cisco ASR 1000 series routers.

Usage Guidelines

The output of the show tunnel endpoints command displays the tunnel destination and transport address together with any overlay or virtual private network (VPN) address that resolves to it.

Examples

The following example shows that there are two tunnel endpoints in the database that are associated with tunnel 1 (192.0.2.0 and 192.0.2.1). Through these endpoints, VPN destination 192.0.2.3 is reachable by tunneling to endpoint 192.0.2.0 and VPN destination 192.0.2.2 is reachable by tunneling to endpoint 192.0.2.1.

The table below describes the significant fields shown in the display.

Table 52 show tunnel endpoints Field Descriptions

Field

Description

Transport

Displays the transport address.

Refcount

Number of overlay addresses that are resolving through the destination address.

Base

Displays the base address.

Overlay

Displays the overlay address.

Parent

Reference to the tunnel endpoint.

Related Commands

Command

Description

tunnel mode

Sets the encapsulation mode for the tunnel interface.

tunnel protection

Associates a tunnel interface with an IPsec profile.

show usb controllers

To display USB host controller information, use the show usb controllers command in privileged EXEC mode.

show usb controllers [controller-number]

Syntax Description

controller-number

(Optional) Displays information only for the specified controller.

Command Default

Information about all controllers on the system is displayed.

Command Modes

Privileged EXEC

Command History

Release

Modification

12.3(14)T

This command was introduced.

12.4(11)T

This command was integrated into the Cisco 7200VXR NPE-G2 platform.

Usage Guidelines

Use the show usb controllers command to display content such as controller register-specific information, current asynchronous buffer addresses, and period scheduling information. You can also use this command to verify that copy operations onto a USB flash module are completing successfully.

Examples

The following example is sample output from the show usb controllers command:

The following table describes the significant fields shown in the display.

Table 53 show usb device Field Descriptions

Field

Description

Device handle

Internal memory handle allocated to the device.

Device Class code

The class code supported by the device.

This number is allocated by the USB-IF. If this field is reset to 0, each interface within a configuration specifies its own class information, and the various interfaces operate independently. If this field is set to a value between 1 and FEH, the device supports different class specifications on different interfaces, and the interfaces may not operate independently. This value identifies the class definition used for the aggregate interfaces. If this field is set to FFH, the device class is vendor-specific.

Device Subclass code

The subclass code supported by the device. This number is allocated by the USB-IF.

Device Protocol

The protocol supported by the device. If this field is set to 0, the device does not use class-specific protocols on a device basis. If this field is set to 0xFF, the device uses a vendor-specific protocol on a device basis.

Interface Class code

The class code supported by the interface. If the value is set to 0xFF, the interface class is vendor specific. All other values are allocated by the USB-IF.

Interface Subclass code

The subclass code supported by the interface. All values are allocated by the USB-IF.

Interface Protocol

The protocol code supported by the interface. If this field is set to 0, the device does not use a class-specific protocol on this interface. If this field is set to 0xFF, the device uses a vendor-specific protocol for this interface.

Max Packet

Maximum data packet size, in bytes.

show usb driver

To display information about registered USB class drivers and vendor-specific drivers, use the show usb driver command in privileged EXEC mode.

show usb driver [index]

Syntax Description

index

(Optional) Displays information only for drivers on the specified index.

The following table describes the significant field shown in the display.

Table 54 show usb driver Field Descriptions

Field

Description

Owner Mask

Indicates the fields that are used in enumeration comparison. The driver can own different devices on the basis of their product or vendor IDs and device or interface class, subclass, and protocol codes.

Syntax Description

(Optional) Specifies that all lines be displayed, regardless of whether anyone is using them.

wide

(Optional) Specifies that the wide format be used.

slot

(Optional) Displays information about remote logins to other processes in the chassis.

slot-number

(Optional) The slot number.

summary

(Optional) Displays a summary of user sessions.

lawful-intercept

(Optional) Displays lawful-intercept users.

Command Modes

User EXEC (>)
Privileged EXEC (#)

Command History

Release

Modification

10.0

This command was introduced.

12.3(2)T

The summary keyword was introduced.

12.3(7)T

The lawful-intercept keyword was introduced.

12.2(33)SRB

This command was integrated into Cisco IOS Release 12.2(33)SRB.

12.2(33)SXI

This command was modified in a release earlier than Cisco IOS Release 12.2(33)SXI. The slot keyword and slot-number argument were added.

Cisco IOS XE Release 2.1

This command was implemented on the Cisco ASR 1000 Series Aggregation Services Routers.

Usage Guidelines

This command displays the line number, connection name, idle time, hosts (including virtual access interfaces), and terminal location. An asterisk (*) indicates the current terminal session.

If the lawful-intercept keyword is issued, the names of all users who have access to a configured lawful intercept view are displayed. To access the show users lawful-intercept command, you must be an authorized lawful-intercept-view user.

When an idle timeout is configured on both a full virtual access interface and a subvirtual access interface, the show users command displays the idle time for both interfaces. However, if the idle timeout is not configured on both interfaces, the show users command displays the idle time for the full virtual access interface only.